
🔒 Add MetaMask Security Code Scanner #1

Merged
shahbaz17 merged 1 commit into main from security/add-sast-scanner
Mar 18, 2026

Conversation

@action-security-code-scanner

⚠️ Important Notice - Action Required

This PR may be auto-merged in the future if not configured.

If your team does not need the security scanner:

  1. Add a comment on this PR explaining why your team is opting out
  2. Close this PR to prevent auto-merge
  3. Add a .github/no-security-scanner file to your repository to prevent future onboarding attempts

If you need the scanner but want to customize it:

  1. Complete the checklist below
  2. Review and modify the workflow file as needed
  3. Approve and merge this PR when ready

If no action is taken, this PR may be automatically merged after a grace period to ensure baseline security coverage across all repositories.


Required Action

Prior to merging this pull request, please ensure the following has been completed:

  • The lines specifying branches correctly specify this repository's default branch (usually main or master).
  • Any paths you would like to ignore have been added to the paths-ignored configuration option (see setup).
  • Language configuration has been reviewed: ignore falsely detected languages or add build commands for Java/Kotlin if needed (see the Configuration section below).
  • Any existing CodeQL configuration has been disabled.

What is the Security Code Scanner?

This pull request enables the MetaMask Security Code Scanner GitHub Action. This action runs on each pull request, and will flag potential vulnerabilities as a review comment. It will also scan this repository's default branch, and log any findings in this repository's Code Scanning Alerts Tab.

[Image: Security Scanner Screenshot]

The action itself runs various static analysis engines behind the scenes. Currently, it is only running GitHub's CodeQL engine. For this reason, we recommend disabling any existing CodeQL configuration your repository may have.

How do I interact with the tool?

Every finding raised by the Security Code Scanner will present context behind the potential vulnerability identified, and allow the developer to fix or dismiss it.

The finding will automatically be dismissed by pushing a commit that fixes the identified issue, or by manually dismissing the alert using the button in GitHub's UI. If dismissing an alert manually, please add any additional context surrounding the reason for dismissal, as this informs our decision to disable or improve any poorly performing rules.

[Image: Alert Dismissal Screenshot]

Configuration

Language Configuration

The scanner auto-detects languages in your repository. If you need to customize language-specific settings, you can modify the languages-config section in the workflow file.

Common use cases:

  1. Ignore falsely detected languages:

    languages-config: |
      [
        {
          "language": "ruby",
          "ignore": true
        }
      ]

  2. Configure Java/Kotlin builds:

    languages-config: |
      [
        {
          "language": "java-kotlin",
          "build_mode": "manual",
          "build_command": "./gradlew build",
          "version": "21",
          "distribution": "temurin"
        }
      ]

Supported languages: javascript-typescript, python, java-kotlin, go, cpp, csharp, ruby

Build modes: none, autobuild, manual

Additional Configuration

For more configuration options, please review the tool's README.

For any additional questions, please reach out to @app-sec in Slack.


🤖 This PR was automatically created by the MetaMask Security onboarding system
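A pre-merge sanity check for the languages-config block described in the comment above, added here as an example (it is not code from this PR or from the scanner itself): it validates a config against the supported languages and build modes the comment lists. The rule that a manual build needs a build_command is an assumption drawn from the Java/Kotlin example, not a documented requirement.

```python
import json

# Supported values exactly as listed in the PR description.
SUPPORTED_LANGUAGES = {"javascript-typescript", "python", "java-kotlin",
                       "go", "cpp", "csharp", "ruby"}
BUILD_MODES = {"none", "autobuild", "manual"}

# Constructed sample: the PR's two examples plus a misspelled language
# ("typescript" is not a valid identifier; the PR lists "javascript-typescript").
SAMPLE_CONFIG = """
[
  {"language": "ruby", "ignore": true},
  {"language": "java-kotlin", "build_mode": "manual",
   "build_command": "./gradlew build", "version": "21", "distribution": "temurin"},
  {"language": "typescript", "ignore": true}
]
"""

def validate_languages_config(raw: str) -> list[str]:
    """Return the problems found in a languages-config JSON string ([] = clean).
    Checks are a reviewer's assumptions from the PR's examples (e.g. a manual
    build needs a build_command), not the scanner's own schema."""
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(entries, list):
        return ["top-level value must be a JSON array of language entries"]
    problems, seen = [], set()
    for i, entry in enumerate(entries):
        where = f"entry {i}"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be an object")
            continue
        lang = entry.get("language")
        if lang not in SUPPORTED_LANGUAGES:
            problems.append(f"{where}: unsupported language {lang!r}")
        elif lang in seen:
            problems.append(f"{where}: duplicate entry for {lang!r}")
        seen.add(lang)
        if "ignore" in entry and not isinstance(entry["ignore"], bool):
            problems.append(f"{where}: 'ignore' must be true or false")
        mode = entry.get("build_mode")
        if mode is not None and mode not in BUILD_MODES:
            problems.append(f"{where}: unknown build_mode {mode!r}")
        if mode == "manual" and not entry.get("build_command"):
            problems.append(f"{where}: build_mode 'manual' requires build_command")
    return problems
```

Running `validate_languages_config(SAMPLE_CONFIG)` flags only the third entry, so the two entries copied from the PR pass as written.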

This PR adds the MetaMask Security Code Scanner workflow to enable
automated security scanning of the codebase.

The scanner will run on:
- Push to main branch
- Pull requests to main branch
- Manual workflow dispatch

To configure the scanner for your repository's specific needs,
please review the workflow file and adjust as necessary.
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@shahbaz17 (Member) left a comment

lgtm

@shahbaz17 shahbaz17 merged commit f431a1f into main Mar 18, 2026
8 checks passed